
4.
Why you should listen to me?
• We discovered this May 2012
• Met with the Feds ;-)
• 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
MalwareArchaeology.com

13.
Initial Infectors
• Perflogs
– C.exe – Communication to infected system
• Thanks for the Port and Password
• For once WE compromised THEM!
Now who is “sophisticated” ;-)
• PROOF of the power of Command Line Logging!

17.
Angler delivered Kovter
• Unique way to hide the persistence
• Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value

19.
Dridex Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of course and

22.
So what is the #1 logging item?
Command Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2
• Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib)
• Scripts too
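As an added example (not the talk's own code or a LOG-MD feature), a Python alerting pass over constructed Event ID 4688 process-creation records: it pulls the executable name out of every command chained inside a cmd.exe /c line, applies a hypothetical whitelist of known-good command lines, and flags the commands listed above.

```python
import re
import shlex

# Executables from the alert list in the talk (lowercase, no path or .exe).
WATCHLIST = {"cscript", "cmd", "cacls", "net", "net1", "takeown", "pushd", "attrib"}
# Hypothetical whitelist of command lines known to be benign in this environment.
WHITELIST = [re.compile(r"^cmd(\.exe)? /c C:\\mgmt\\scripts\\inventory\.bat$", re.I)]
# cmd.exe chains commands with & && | ||, so one 4688 event can carry several.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")

def _exe_name(token):
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def command_names(cmdline):
    """Executable names of every command in a (possibly chained) command line."""
    names = []
    for part in CHAIN_SPLIT.split(cmdline):
        try:
            tokens = shlex.split(part, posix=False)  # keeps Windows quoting intact
        except ValueError:                            # unbalanced quote: best effort
            tokens = part.split()
        if not tokens:
            continue
        names.append(_exe_name(tokens[0]))
        if names[-1] == "cmd" and len(tokens) > 2 and tokens[1].lower() in ("/c", "/k"):
            names.append(_exe_name(tokens[2]))    # the child of 'cmd /c' matters too
    return names

def check_event(event):
    """Watchlisted commands in one 4688 event; [] when not 4688 or whitelisted."""
    if event.get("EventID") != 4688:
        return []
    cmdline = event.get("CommandLine", "")
    if any(w.search(cmdline) for w in WHITELIST):
        return []
    return sorted(set(command_names(cmdline)) & WATCHLIST)

def scan(events):
    return [(i, h) for i, e in enumerate(events) if (h := check_event(e))]

# Constructed sample events (not real telemetry); fields follow Security log 4688.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": r"cmd.exe /c C:\mgmt\scripts\inventory.bat"},
    {"EventID": 4688, "CommandLine": r"cmd.exe /c attrib +s +h C:\Users\Public\update.tmp & net start"},
    {"EventID": 4688, "CommandLine": r'"C:\Windows\System32\cscript.exe" //nologo C:\ProgramData\update.vbs'},
    {"EventID": 4688, "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.test'},
    {"EventID": 4624, "CommandLine": ""},
]
```

Running `scan(SAMPLE_EVENTS)` alerts on the second and third records only; the first is whitelisted and the last two contain nothing on the watchlist.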

23.
Hidden in the Registry
• Command Line execution led us to Registry Keys. The main payload and scripts to infect were stored in the registry – Classes and Client Keys

24.
Hidden in the Registry
• HEX in some cases where infection was not complete or when we recreated it in the lab because we were missing something (the infected persistence binary)
• A Binary when complete, encrypted in some way

25.
Hiding in the Registry
• This was new for WINNTI 2014, other advanced malware uses this method too
• They added three values to the Keys
• HKLM\Software\Clients or Classes
– putfile
– file
– read
• This was found on only a few systems to hide another backdoor
– HKLM\Software\Wow6432Node\BINARY\Acrobat.dxe
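The last three slides describe payloads parked as HEX or binary data under Classes and Clients keys. As an added example (not LOG-MD's code), the Python below walks a RegEdit .reg export and flags values that are both large and high-entropy, the kind of check a "large registry keys" search is aimed at. The key path, value contents and thresholds are constructed for illustration; only the value names come from the slide.

```python
import hashlib
import math
import re

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-f]+\))?:(?P<body>.*)$", re.I)  # hex:, hex(2):, hex(7): ...

def shannon_entropy(data):
    """Bits per byte: near 8.0 for encrypted or compressed data, low for text or padding."""
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs) if data else 0.0

def parse_reg_export(text):
    """Yield (key, value_name, raw_bytes) for each hex-typed value in a RegEdit .reg export."""
    key, buf = None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.startswith("[") and buf.endswith("]"):   # [HKEY_...] opens a new key
            key, buf = buf[1:-1], ""
            continue
        if buf.endswith("\\"):                           # RegEdit wraps long data with '\'
            buf = buf[:-1]
            continue
        m, buf = VALUE_RE.match(buf), ""
        if m and key and (hm := HEX_RE.match(m.group("data"))):
            yield key, m.group("name") or "(Default)", bytes.fromhex(hm.group("body").replace(",", ""))

def find_hidden_payloads(text, min_bytes=1024, min_entropy=7.0):
    """Registry values big and random-looking enough to be a stored (encrypted) payload."""
    hits = []
    for key, name, data in parse_reg_export(text):
        ent = shannon_entropy(data)
        if len(data) >= min_bytes and ent >= min_entropy:
            hits.append({"key": key, "name": name, "size": len(data), "entropy": round(ent, 2)})
    return hits

def _reg_hex(data, per_line=25):
    # format bytes as RegEdit exports them: comma-separated hex, continued lines end in '\'
    rows = [",".join(f"{b:02x}" for b in data[i:i + per_line]) for i in range(0, len(data), per_line)]
    return "hex:" + ",\\\n  ".join(rows)

# Constructed sample: a 4 KiB SHA-256 chain stands in for an encrypted payload in "putfile".
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\Example]
"putfile"={_reg_hex(_BLOB)}
"read"=dword:00000001
"file"="C:\\\\Windows\\\\Temp\\\\x.dat"
"small"=hex:01,00,00,00
"""
```

`find_hidden_payloads(SAMPLE_REG)` reports only the 4096-byte "putfile" value; the dword, string and 4-byte values pass untouched, which is the point of pairing a size floor with an entropy floor rather than using either alone.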

27.
Persistence
• Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
• We tried the infector on several other system files and it worked

28.
Persistence
• Infected management binary read key, decrypted payload and dropped into:
– Program Files\Common Files
• NOW WERCplSupport ServiceDll exists!
• As soon as it was loaded… it was deleted making it hard for us to find it
But we were better than that ;-)

29.
So what led us there?
• Malware Discovery Baseline
• Compared infected system hashes (Suspect) to a known good system’s hashes (Master-Digest)
• Showed some single hashes in directories that were odd to us (our own management software)?
• So we looked for these binaries across all systems
• ONLY the infected systems had these odd hashes
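The Master-Digest comparison and the cross-system check from the slide above, as an added Python example (not the talk's own tooling): digest_tree builds a baseline from a real directory, compare_to_baseline diffs a suspect against it, and rare_hashes stacks hashes across a fleet so a binary that only a few systems carry stands out. The fleet, its paths and hashes below are constructed.

```python
import hashlib
import os
from collections import defaultdict

def digest_tree(root):
    """Build a Master-Digest style baseline: {relative path: sha256} for every file under root."""
    digest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digest

def compare_to_baseline(master, suspect):
    """Files on the suspect system whose hash is absent from, or differs from, the master."""
    return {path: h for path, h in suspect.items() if master.get(path) != h}

def rare_hashes(fleet, max_hosts=1):
    """Stack (path, hash) pairs across all systems and keep the ones seen on at most
    max_hosts of them: the single odd hashes that only the infected systems carried."""
    seen = defaultdict(list)
    for host, digest in fleet.items():
        for path, h in digest.items():
            seen[(path, h)].append(host)
    return {pair: hosts for pair, hosts in seen.items() if len(hosts) <= max_hosts}

# Constructed fleet: hashes are SHA-256 of labels and the paths are made up; ws04 carries
# an altered copy of its management agent binary, the pattern described in the talk.
def _h(label):
    return hashlib.sha256(label.encode()).hexdigest()

AGENT = r"Program Files\AgentVendor\FrameworkService.exe"
MASTER = {AGENT: _h("agent-known-good"),
          r"Program Files (x86)\MgmtClient\ClientHelper.exe": _h("helper-known-good"),
          r"Windows\System32\notepad.exe": _h("notepad-known-good")}
FLEET = {"ws01": dict(MASTER), "ws02": dict(MASTER), "ws03": dict(MASTER),
         "ws04": {**MASTER, AGENT: _h("agent-altered")}}

if __name__ == "__main__":
    for path, h in compare_to_baseline(MASTER, FLEET["ws04"]).items():
        print(f"differs from master: {path} {h[:16]}...")
    for (path, h), hosts in rare_hashes(FLEET).items():
        print(f"seen only on {hosts}: {path} {h[:16]}...")
```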

31.
FINALLY !
• Malware Management allowed us to set up alerts on artifacts from other malware analysis
– Retailers and all of us really need to learn this
• Of course our own experience too
• Malware Discovery allowed us to find odd file hashes, command line details, registry locations
• Malware Analysis gave us the details

34.
Log Management
• This is the BEST Security Tool, because it is not your typical security tool
• Not all of us can afford 100% coverage with our Log Management solution
• It is recommended you should have 100% coverage, so get it on the budget radar
• Logging and Auditing provides the details needed to understand and discover the malicious behavior

35.
But I don’t have Log Management
• How many of us have 100% coverage on all endpoints, network devices, email and web gateways, IDS/IPS, applications, etc.?
• I usually see 10% raise their hands
• So what is there for the rest of us?
• Critical to enable and configure and collect the logs locally at a minimum
• You will increase your chance to catch things

36.
What to do without Log Management
• Enable and configure logging and auditing on all systems
• Best chance you have
• For Windows systems there wasn’t anything worthwhile to evaluate the things we needed to collect the malicious activity outside having everything in log management

37.
Since it didn’t exist
We created it!
So you can do it too!

38.
LOG-MD.COM
• Log and Malicious Discovery tool
• When you run the tool, it tells you what auditing and settings to configure that it requires
• LOG-MD won’t harvest anything until you properly configure the system!

39.
Purpose
LOG-MD.COM
• Improve and promote Logging and Auditing
• Help MOVE or PUSH security forward
• Malware Analysis Lab
• Investigate a suspect system
• Audit - Advanced Audit Policy settings
• Give the IR folks what they need and the Feds too
• Take a full system (File and Registry) snapshot to compare to another system and report the differences
• Discover tricky malware artifacts – Retail PoS malware and APT
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that does much more
• To answer the question: Is this system infected or clean?
• And do it quickly ! SPEED !

40.
Improve your Logging and Auditing
• Guides you to enable and configure Windows logging and auditing
• With or Without Log Management
• Helps make your log management better!
• Guides you to enable and configure File and Registry auditing to catch the bad stuff when it happens
• When you don’t have a log management solution, gives you something you can use

41.
Free Edition
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads

48.
So what is the goal of proper logging?
• WHAT Processes executed
• WHERE it executed from
• IPs to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!

49.
So what tools worked?
• Log Management is #1, by far
• A tool that allows you to ask a system a question
– BigFix (Best Blue Team and IR Tool hands down – My favorite)
– Tanium
– Google GRR Rapid Response
– Mozilla InvestiGator
– Facebook osquery
• LOG-MD was created to fill the gap where agents did not exist
• Malware Analysis in a Lab – Recreate payloads, execute artifacts